Cheap Web Space, Domain Name:
Web Space With E-Mail, PHP/MySQL.

Symptom

The Let's Encrypt SSL certificate can not be created with a 403 error, or certificate renewal fails with a 403 error, even though the certificate was previously installed without any problem.

Cause

To create or prolongate a certificate, Let's Encrypt writes a token file to the /.well-known/acme-challenge directory. This token is obtained over the Internet. This confirms that the host wishing to set up the certificate really does operate the domain for which the certificate is to be issued.

You use software or a plug-in to software that generates search engine friendly URLs with modRewrite rewrite rules in the .htacces file. It will also redirect all calls to files in the /.well-known/acme-challenge- path, so that the important technical files stored there, including the SSL tokens for SSL certificate renewal, are no longer accessible.

As a result, if Let's Encrypt wants to confirm the token, the website will return an "403 forbidden" error.

Solution

To allow access to the token, you must exclude the /.well-known/acme-challenge directory from any rewrite rules. To do this, add the following three lines to the beginning (important!) of your .htaccess file:

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge [NC]
RewriteRule .* - [L]

These three lines ensure that no further rewrite rules will be processed whenever a file is retrieved from the path /.well-known/acme-challenge. This keeps files in this path available even if subsequent rewrite rules would actually redirect the request to another path or file or block its retrieval.

Overview of frequently asked questions